I don't even know where to start with this one. I'm using a theme that requires me to override server php.ini settings in my own php.ini with allow_url_include = on

That setting at the very least seems to be a security risk, according to many (and my webhost); at most it requires some other users on some other hosts to add that line to their own php.ini files, or some theme features won't work.

(Some popular hosts like Bluehost have allow_url_include = on as default.)

Anyone know where in the theme functions to look to a) find what requires allow_url_include = on and b) how to start working on it to change it?

To find out if/where the Theme fails if allow_url_include is disabled, have you tried setting it to false, and seeing what errors get thrown? (Note: you might need to set define( 'WP_DEBUG', true ) in wp-config.)
– Chip Bennett, Apr 1 '11 at 22:31

Good point, but all I see in the theme are jQuery warnings that say "http error" and no php errors for URLs are logged, except for some database errors. Seems to have something to do with the JS image uploader.
– markratledge, Apr 1 '11 at 22:53

So, that narrows it down a bit, right? Those errors strongly indicate that the include is for a script. :) Do the error messages indicate the URL of the script that's throwing the errors? Might help you narrow down where they are in the Theme...
– Chip Bennett, Apr 1 '11 at 23:12

2 Answers

Okay, first off, that's an incredibly badly made theme. Your item number 2 there indicates to me that he is making AJAX calls in entirely the wrong way.

Secondly, look for anything in the theme that is using http but not in a link. allow_url_include basically lets you include some PHP from a remote site, which is indeed bad, but he might just be using it wrong.

If the theme was freely available, I could look at it and give you more information. Is this theme available for download?

I appreciate the look at this stuff. I added two more http examples, 5 and 6, if they might be the problem. It's a premium theme, but if you feel up for it, I could email it to you. I do support for the theme, and it's a PITA due to the bugs, but the dev says there's nothing wrong with it.
– markratledge, Apr 1 '11 at 22:42

Why would a url include be required just to use an external script, anyway? Shouldn't wp_register_script( $name, $src ) with wp_enqueue_script( $name ) handle it just fine?
– Chip Bennett, Apr 1 '11 at 23:13

allow_url_include is for doing remote includes, e.g. include 'http://example.com/someremotefile.php'; ... which is risky enough on its own; it's a pretty much guaranteed entry point for a hacker if any user input is passed into those remote includes, e.g. include $somevar_with_user_input;
– t31os, Apr 2 '11 at 13:33

@t31os - none taken. With my limited knowledge, even I could see problems with the theme before I posted this, but the dev is defensive about it. So it looks like #5 above is one problem? Calling those presets from the home domain of the theme seller?
– markratledge, Apr 3 '11 at 18:43

Requiring allow_url_include seems quite weird for a theme; I can't think of a reason for it to be necessary.

Anyway if you want to find out where it might be needed, scan the theme's files for instances of include, include_once, require and require_once as these are the PHP functions on which that directive has effect.

That makes sense; I added some of the include constructs I found. Do any of them look problematic?
– markratledge, Apr 1 '11 at 21:16


None of those includes uses a URL, so I'm confused by the requirement. Also I can't see the point of those nested dirname()s, or of including wp-config.php. Weird, to say the least.
– Matteo Riva, Apr 1 '11 at 21:21

Added a few more examples in my question....
– markratledge, Apr 3 '11 at 18:43